Mapping the evolving legal landscape

Archives: Privacy

On May 25, 2018, the General Data Protection Regulation (GDPR) became effective across the European Union. The GDPR is a regulation designed to give EU residents control over their personal data and simplify the regulatory framework for international organizations doing business in the EU. In its infancy, it was not entirely clear how the GDPR would be enforced. Now, one year later, the regulation is beginning to show some teeth.

For individual consumers, the GDPR likely calls to mind last year’s flurry of privacy policy email updates from companies scrambling to comply, or perhaps the constant stream of consent pop-ups and cookie banners Europeans navigate on a daily basis when browsing the web. For U.S. companies that do business abroad, however, the GDPR represents a constant struggle to refine their data protection policies, as strict compliance remains an elusive target.

Although many data privacy lawyers disagree on whether strict compliance with the GDPR is even possible, recent enforcement measures have shed some light on how the regulation may be enforced in the future. A review of last year’s enforcement actions should help companies avoid unnecessary penalties and inform them what to expect going forward.…

Much has been written about the European General Data Protection Regulation (GDPR). Commentators have touted the EU’s supposedly superior data protection regime. But don’t lose focus on what is happening within the U.S. and the implications for U.S. companies that may not be focused on GDPR requirements. Even companies that are GDPR-focused may not meet the upcoming requirements. At least three significant privacy legislation fronts in the U.S. bear mentioning:…

The Federal Trade Commission (FTC) recently issued a staff report (available here) on the trend to link consumers’ online behavior across multiple devices. Among other recommendations, the FTC suggests that companies not track sensitive information which may include health, financial, children’s and precise geolocation information without the consumers’ affirmative express consent. The FTC also recommends that all companies engaged in cross-device tracking should truthfully disclose their tracking activities. The FTC reviewed the privacy policies of 100 top websites and only found 3 policies that expressly mentioned enabling third-party cross-device tracking on their websites.…

The United States Court of Appeals for the 9th Circuit continues to decide high profile cases that interpret the key provisions of the Computer Fraud and Abuse Act (CFAA). This post summarizes two July decisions from the court—one that sent the internet into a frenzy, and one that somewhat assuaged those fears.

Overview of the CFAA

The CFAA’s deceptively simple statutory scheme and language have proved difficult to apply in practice some 30 years after it was enacted. The CFAA creates criminal and civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C). “The statute thus provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.” Musacchio v. United States, 136 S. Ct. 709, 713 (2016). The CFAA provides a private right of action for “[a]ny person who suffers damage or loss by reason of a violation of this section.” 18 U.S.C. § 1030(g).…

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2016 Technology Seminar Series, beginning May 18.

This year’s sessions are:

May 18: Big Data, Data Analytics & the Law 2016: What Your Company Needs to Know About the Evolution of the Next Big Thing

“Big data” is one of today’s most prevalent buzzwords across virtually all industries worldwide. But who truly understands what big data is and how it’s used? How is information collected, stored and analyzed? How are businesses leveraging big data in the workplace and the marketplace? How should companies balance data-driven trend-spotting against consumer protection? What laws or ethical frameworks apply to the use of big data, and how can you be sure your company is complying with them? This seminar provides an introduction to big data analytics, to the legal and strategic issues that big data raises for business, and to the ways that companies can position themselves to handle these challenges. It then zeros in on the use of big data in the modern workplace to illustrate how some of these issues play out in a context familiar to many companies.

Speakers: Dennis Hirsch, Professor of Law, Faculty Director of the Program on Data, Law, Ethics and Policy (DLEAP), The Ohio State University Moritz College of Law and Brian Hall, Porter Wright Morris & Arthur LLP…

Our colleagues at AntitrustLawSource.com recently shared parts one and two of a three-part podcast series, “Big data and what can be done with it.” Podcast host and editor Jay Levine talks with Phil Rist, executive vice president of Prosper Business Development, about challenges and opportunities for big data in 2016. From the internet of things providing more data available for tracking (Part 1), to using big data for key financial decisions (Part 2), we think you’ll find the discussion quite interesting.

Our colleagues over at Antitrust Law Source recently published a podcast on the inevitable health care data breach and how you can lessen the damages. Some key issues include: when to review data security policies, how to prepare for a potential breach and how to deal with third-party vendor access. Listen to the podcast to find out more.…

Canada’s anti-spam law (CASL), enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), requires that businesses and organizations secure a recipient’s express or implied consent before sending “commercial electronic messages” (CEM). A CEM is any electronic message that encourages participation in a commercial activity, such as a coupon or message about a promotion of the organization, an e-vite, and newsletters sent using email, text messaging or certain forms of messages sent through social networks. The legislation imposes severe fines for non-compliance and leaves open the possibility for private or class actions for damages. CASL has been deemed one of the toughest pieces of anti-spam legislation.

The biggest feature of CASL is the consent requirement, which requires Canadian and global organizations that send CEMs within, from or to Canada to obtain consent from recipients before sending the messages. This requirement does not apply to CEMs merely routed through Canada. The requirement only applies to communications sent to electronic addresses.

Consent may be obtained expressly or may be implied, and it is imperative that an organization, which has the burden of proving that consent was obtained, keep records as to how it obtained consent.…

A few weeks ago, more than 1,000 academics, legal practitioners and government officials convened for one of Europe’s premier privacy law events: the Computers, Privacy and Data Protection (CPDP) conference in Brussels, Belgium. Europeans dominated this crowd, but a significant number of participants from other countries, including the U.S., made this a truly international gathering. I was fortunate to attend the conference and be able to present on two panels: “The EU-U.S. Interface: Is it Possible?” and “Privacy by Analogy.” This article provides an overview of the conference, identifies the main themes that emerged from the three days of panels and discussions, and draws a few strategic conclusions for a U.S. audience.

Led by Professor Paul de Hert, faculty and graduate students from the Free University of Brussels (Vrije Universiteit Brussel) organized much of the CPDP conference. Leading companies, law firms and public interest groups — including Google, Microsoft, Deloitte, epic.org, HP, Intel and others — sponsor the event. An array of universities and other entities organize the 70 panel discussions that form the backbone of the conference (videos of many of these panels are available online). American universities and organizations are getting more involved. This year, Yale, Fordham, the University of Washington and the U.S.-based International Association of Privacy Professionals (IAPP) each sponsored a panel.

Viewed as a whole, the panel topics offer insight into the key themes that are of concern in European and international privacy law circles.…

The availability of third-party keyboard apps on the new iOS 8 operating system for Apple mobile devices created quite a buzz. It also served as a reminder for any developer of apps that transmit data or communications from a user’s host device to external servers to be cognizant of the risks associated with such data collection, whether intended for misuse or not.

Though previously available on the Android operating system, third-party keyboard apps such as SwiftKey, Fleksy and Swype broke through with Apple for the first time on iOS 8, MacRumors.com and Tech Republic report. iOS 8 comes stock on the newly released iPhone 6 and is available for download on earlier iPhone versions. Third-party keyboard apps provide aesthetic variety and features such as the ability for users to type without lifting their fingers from the keyboard by tracing their fingers between letters or numbers. Some keyboard apps also have the capability of recording a user’s keystrokes and transmitting the data contained in those keystrokes to external servers, according to MacRumors.com and a technology blog written by IT expert Lenny Zeltser. In some cases, this allows the app to require less hard drive storage space on the host device and to provide upgrades more efficiently.…

At the end of last month, Boston hospital Beth Israel Deaconess Medical Center (BIDMC) settled a data breach lawsuit brought by the Massachusetts Attorney General related to the 2012 theft of a physician’s laptop. Under a consent decree entered on Nov. 20, 2014, BIDMC agreed to pay $100,000 and to take a number of steps to ensure future compliance with state and federal data security laws.

The state of Massachusetts filed the enforcement suit against BIDMC on the same day as the consent decree’s entry, alleging that an unauthorized person gained access to a BIDMC physician’s unlocked office on campus in May 2012 and stole an unencrypted personal laptop sitting unattended on a desk. Though the laptop was not hospital-issued, the physician used it regularly for hospital-related business with BIDMC’s knowledge and authorization. The physician and his staff allegedly were not following hospital policy and applicable law requiring employees to encrypt and physically secure laptops containing protected health information and personal information. According to the state, the laptop contained nearly 4,000 patients’ and employees’ protected health information and nearly 200 employees’ personal information, including names, Social Security numbers and medical information. The complaint also alleged that BIDMC failed to notify patients about the data breach until nearly three months later, in August 2012.…

Back in the 1960s, legendary bluesman Muddy Waters wrote a song called “You Can’t Lose What You Ain’t Never Had.”

Now, it is Sony Pictures that is singing the blues, as damages continue to mount following the cyber attack on its data networks just before Thanksgiving. A shadowy group with possible connections to the North Korean government has claimed responsibility for the hack, which, to date, has resulted in exposure of Sony intellectual property (e.g., movie scripts), trade secrets (e.g., film budgets), employee personal information (e.g., employee and former employee home addresses and social security numbers) and other sensitive information (e.g., actor travel aliases and phone numbers).

I’m no cybersecurity expert, but I’m at the point where I seriously doubt any currently available data security technology is totally hack-proof. Who knows, there may have been precious little that Sony could have done to prevent the loss of its intellectual property and trade secret information to determined hackers. Let’s face it, some of the most highly sophisticated corporations and government agencies have been victimized by cyber attacks in the last year. But the same really can’t be said for their employee data.…

Companies have moved in droves to allow hosting partners to store their mission critical applications — along with valuable business information, trade secrets and customer data — in the cloud. Saving money is great, but do you know where all of your data is at all times, and, more importantly, how secure is it? Every cloud deployment should go “eyes-open” into the cloud. No matter where your data is, you are responsible for it and you will be held accountable for a breach in security of the data.

No company should enter into a contract without considering the following, at the very least:

1. Where is the data being stored, meaning where are the servers (computers) physically located?
This means, be specific in your contracts: “All Customer Data will be housed in Provider’s servers located in Columbus, Ohio” (or wherever your Provider tells you they are).

2. Does your provider use offshore (i.e. outside the continental United States) data centers, or does it access U.S. data centers from offshore?
You may wish to state in your contract that: “If Provider intends to store any Customer Data or to provide any services under this Agreement from an offshore location or through offshore personnel, Provider will provide all relevant information to Customer and obtain Customer’s prior written approval.” Why is this? Is offshore data less secure? Not necessarily, but it may not be possible to get your data back from an international location.…

The holiday season is upon us and by the end of the year, Americans will have spent approximately $600 billion shopping in stores and online. By now, most consumers are aware of a broad range of risks associated with the holidays. We try not to leave packages in our cars in the mall parking lot, and we are careful with our credit card information. We have learned, sadly, how to spot charity scams. And even though it is sometimes tempting, we generally adhere to the warning that “if something looks too good to be true, it probably is.”

In all this — assuming we are not too exhausted from baking cookies, decorating the house and attending countless holiday parties — we may notice that we’re receiving coupons after looking at a company’s website. Or a catalog arrives in the mail after visiting a store, which seems odd because we barely walked through the door and never gave anyone an address. And our favorite social media site keeps showing that purse, watch or power tool we’ve been thinking about buying.…

Saman Rajaee was a salesman for Design Tech Homes. He used his personal iPhone to connect to his employer’s Microsoft Exchange Server, which allowed him to access his work-related email, contacts and calendar from his phone. Design Tech did not have a BYOD policy. When Rajaee’s employment terminated, Design Tech remotely wiped his phone, which deleted all of his data, including personal emails, texts, photos, personal contacts, etc.

Rajaee sued under the federal Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA), and also raised various state law claims. Design Tech moved for summary judgment on the federal claims. On the SCA claim, the court held, based on Fifth Circuit precedent, that information an individual stores to his hard drive or cell phone is not in electronic storage within the meaning of the statute.…

The recent data breaches at Target, Home Depot, and Jimmy John’s have kept data privacy and security in the news lately. But from a legal perspective, there has never been much that the victims of these breaches could do to obtain a remedy in the absence of actual proof of identity or other theft. Indeed, ever since the U.S. Supreme Court decision in Clapper v. Amnesty International, it has been clear that the mere potential for future injury is insufficient to confer standing on a data breach victim to sue. Instead, the plaintiff must prove that injury is “certainly impending,” a standard that was thought to rule out class action lawsuits arising out of data breaches.

Except in California. Bucking the trend for dismissing class actions resulting from data breaches, a federal court in the Northern District of California in In re Adobe Systems, Inc. Privacy Litigation recently denied a motion seeking dismissal based on a lack of standing. The Adobe litigation arose out of a 2013 hacking that caused a data breach that compromised customer debit and credit card numbers and other personal information. In addition to claims brought under California statutory law, the plaintiff customers, like most of the plaintiffs in other data breach class actions, alleged damages as a result of an increased risk of future harm by identity theft and the cost of mitigating that harm. (The plaintiffs also alleged that they suffered economic injury in the form of lost value of the Adobe products that …

On July 7-11, 2014, a group of 25 privacy lawyers met in a historic building overlooking the Keizersgracht, one of Amsterdam’s most beautiful canals, and spent five days learning about U.S. privacy law, European data protection law, and the complex interactions between them. The setting was the Summer Course on Privacy Law and Policy, presented by the University of Amsterdam’s Institute for Information Law (IViR), one of the largest information law research centers in the world. Course faculty included leading practitioners, regulators and academics from both sides of the Atlantic. Course participants came from an even wider geographic area that included Hungary, Greece, Poland, the Netherlands, Hong Kong, Kyrgyzstan, Switzerland, the UK, Belgium and Canada. I was lucky enough to serve as a co-organizer of, and faculty member in, the course. In this post, I describe presentation highlights and identify some cross-cutting themes that emerged during the week.

Dr. Kristina Irion, Marie Curie Fellow at IViR (and the other course organizer) started the course with “An Update on European Data Protection Law and Policy.” The Summer Course does not try to cover every aspect of privacy law. Instead, it focuses on law and policy related to the Internet, electronic communications, and online and social media. In her presentation, Irion analyzed the latest European legal and policy developments in these areas. The most important such development is the proposed General Data Protection Regulation (GDPR) — a major reform proposal that several of the faculty presenters believe will become law …

The Florida Information Protection Act of 2014, aimed at strengthening Florida’s data breach notification law, goes into effect tomorrow, July 1, 2014. The act contains major changes to Florida’s existing data breach notification statute and makes it one of the toughest in the nation.

Shortened notice period

For example, notice to consumers must be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. Previously, the law allowed 45 days for such notice. Fines may be imposed on private entities for failure to comply with the notice provisions ($1,000 per day for the first 30 days following a violation of the notification requirements; $50,000 for each subsequent 30-day period thereafter; and, if the violation continues for more than 180 days, an amount not to exceed $500,000). The notice requirement applies to personal information contained in any computerized data system and is triggered when unencrypted personal information may have been acquired by an unauthorized person.…

Have you ever received an email from LinkedIn with the invitation “I’d like to add you to my professional network”? If you did not respond, did you receive a reminder email a week later? And another one a few weeks after that? If you did, or if you were one of the LinkedIn users who (inadvertently) sent out one of these “endorsement emails,” then Perkins v. LinkedIn (N.D. Cal. June 14, 2014) is a class action lawsuit against LinkedIn you might want to keep an eye on.

The crux of the complaint, which has been brought by nine individual plaintiffs as a class suit, is that LinkedIn violated several state and federal laws by harvesting email addresses from the contact lists of email accounts associated with the class plaintiffs’ LinkedIn accounts and using those contacts to spam the plaintiffs’ contacts with LinkedIn ads. The class complaint alleged five causes of action:

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2014 Technology Seminar Series, beginning June 18. This year’s sessions are:

Social media in litigation: a shield and a sword

June 18

The worlds of social media and litigation have collided. Social media evidence is used in employment discrimination lawsuits, in divorce and custody cases, in criminal cases – and intellectual property cases are won and lost based on the information disclosed on social media sites. Like it or not, social media is an aspect of litigation that is here to stay. Sara Jodka, Colleen Marshall and Jay Yurkiw will walk you through how social media affects the way companies prepare for and engage in litigation, including the good, the bad and the ugly. This session will provide guidance about how you can make sure that your company’s social media use will not get the company into hot water. Presenters also will share helpful insights regarding what to do about social media when litigation is filed and identify the biggest social media in litigation hazards.…

Two recent decisions – one from the federal district court in New Jersey and one from a federal Administrative Law Judge – potentially will have significant impact on the Federal Trade Commission’s (FTC) enforcement of business’s data security obligations. (Read more about these cases here and here.)

FTC v. Wyndham Worldwide

In FTC v. Wyndham Worldwide Corporation, the New Jersey federal district court upheld the FTC’s authority to find that a business that has sustained a data breach has committed an “unfair trade practice” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), when its privacy controls are found to be inadequate. Over the past several years, the FTC has regulated data privacy and security under Section 5(a) by bringing actions against businesses that have sustained data breaches on the ground that the business has committed a deceptive and/or an unfair trade practice. The deceptive trade practice claim typically alleges that the business has failed to live up to its promises to consumers about how it will secure the privacy of their data. More controversially, however, the FTC also has sought to regulate data security by bringing actions against businesses alleging that they had inadequate data security protections even in the absence of any consumer promises. Until Wyndham challenged the FTC’s authority, these “unfair trade practice” cases brought by the FTC had settled.…

If you believe that a former employee may have taken your trade secrets on his way out the door and you are considering court action to rectify the situation, it is important to have compelling evidence of the misappropriation. But as we discuss in this post, even with compelling evidence of misappropriation, the plaintiff’s failure to have taken “reasonable efforts” to maintain the secrecy of trade secret information may defeat the misappropriation claim.

Let’s review the following set of facts as an example:

An employee has left your company to work for a direct competitor. At that direct competitor, he does the same job he did while working for you. At his new company, he is attempting to contact some of your customers. When he left your company, he did not return his company-issued laptop or iPad. A forensic examination of those devices reveals that after he received a letter from you demanding the return of them, he opened 20 files that you contend contain highly confidential and proprietary information. That same analysis demonstrates that he connected more than 20 flash drives to the laptop after his employment was terminated. Indeed, on the day he returned the computer to you he connected six flash drives to it. He also emailed to his new colleagues a high-level competitive analysis of your company.…

Porter Wright Morris & Arthur LLP